<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>application-whitelisting &#171; WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/application-whitelisting/</link>
	<description>Feed of posts on WordPress.com tagged "application-whitelisting"</description>
	<pubDate>Sun, 26 May 2013 06:15:04 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Continuous Monitoring: Holy Grail to FISMA Compliance – or Not?]]></title>
<link>http://technoinformationist.wordpress.com/?p=10</link>
<pubDate>Wed, 02 Jan 2013 18:28:32 +0000</pubDate>
<dc:creator>patrickgdean</dc:creator>
<guid>http://technoinformationist.wordpress.com/?p=10</guid>
<description><![CDATA[Well is it or is it not? Who cares? Let’s take out the debate about whether or not the new FISMA reg]]></description>
<content:encoded><![CDATA[<div>
<p><span style="font-size:small;">Well is it or is it not? Who cares? Let’s set aside the debate about whether or not the new FISMA regulations actually do anything for security practices, and face the reality that we, as government entities (whether directly employed by or contractually attached to a government entity), must fulfill our compliance obligations. Those of us who want to actually secure our environments will not only abide by the compliance mandates, but will also implement security standards and practices that truly improve security within our appointed domains.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">With the varying types and levels of threats, the exponential growth in the number of attempted attacks and the possibility that some threats are state sponsored, federal government security professionals who are responsible for the nation’s information must do everything possible to minimize the attack surface exposed to our adversaries. The days when a firewall and an antivirus product provided security for our resources are long gone.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">We must use a Defense-in-Depth strategy to minimize our vulnerabilities. Defense-in-Depth relies on a layered stack of defense technologies joined together into a mesh that, properly designed and implemented, can provide a high level of fortification for our enterprises. These layers have typically been comprised of products such as firewalls, DMZs, Intrusion Prevention Systems, encryption technologies, VPNs and antivirus products. Stopping short of the goal of complete protection, our endpoints have been a particular problem for security professionals. For years, protection for our endpoints has been based on blacklisting antivirus products. We all know that blacklist-based antivirus products have their shortcomings. Application whitelisting products not only overcome the shortcomings of antivirus products, but add functionality that most antivirus products do not or cannot perform.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">“Lockdown” application whitelisting is a technology that has been around for many years and has been successfully deployed in narrowly focused controlled environments such as SCADA systems and fixed function devices. Advanced Threat Protection, which encompasses application whitelisting as well as memory protection and trusted change mechanisms, has matured to the place where it is being deployed and successfully maintained in large enterprises, including the Federal Government.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">Many of the new threat vectors take advantage of vulnerabilities that other portions of the Defense-in-Depth stack cannot defend against. As security professionals, we have seen many breaches over the last 16 months that have one thing in common: a user on an endpoint within the organization or its ecosystem (like a defense contractor). People make mistakes, and we have to protect them (and our organization) as best we can.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">Social engineering techniques make it easy to get a person to make a mistake and set off a malware attack; it happens every day. Once an attack has started, the perpetrator wants to get some form of payload (malicious code) loaded onto the user’s machine, or to leverage that machine against other systems inside the network. IDS and antivirus providers do a decent job of stopping this threat as long as they have seen it in the past and have developed hash values for the known malware. What these providers cannot stop are zero-day threats (never-before-seen malware) and memory-based attacks. A memory-based attack happens when malware is loaded into the memory space of an already running program and executed from there. These memory attacks (e.g., DLL injection, reflective injection) are hard, and in many cases almost impossible, to detect. It is imperative that any application control, application whitelisting or malware detection product you are considering has the full and complete ability to stop and report on any and all in-memory attacks. A few vendors claim to have memory protection, but very few are able to do the job completely and correctly. Before you buy any of these products, make sure you run a full and complete set of penetration tests against them to verify that you are getting what they are trying to sell you.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">We security professionals must combine our tools and techniques into a successful formula in order to provide security for our enterprise and compliance with the regulations.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">My Formula for Continuous Monitoring and Control.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div align="center">
<p><span style="text-decoration:underline;"><span style="color:#3d85c6;font-size:small;">(FW + DMZ + HIPS/NIPS + Crypto + VPN + AV + AC/AW) * SOC/NOC/Reporting</span></span></p>
</div>
<div align="center">
<p><span style="font-size:small;"><b><span style="color:#3d85c6;">Event Mitigation</span></b></span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">The first part of the formula, (FW + DMZ + HIPS/NIPS + Crypto + VPN + AV + AC/AW), is your Defense-in-Depth mesh, woven together in part or in whole by your security team.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">The second part of the formula, * SOC/NOC/Reporting, is the daily monitoring of events that occur within each and every security product within your domain; hopefully, correlated together into some manageable form via a SOC, NOC or reporting mechanism.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div align="center">
<p><span style="color:#ff0000;font-size:small;"><b>STOP!!!</b></span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">For us to be <b>compliant </b>with the Continuous Monitoring regulations in FISMA, we are done, right? Well yes, you can stop here and be compliant under the mandates, but have you accomplished real security in your relative domain, or are you just filling out paperwork? If you stop here, you are doing yourself and this nation a disservice. The gist of the FISMA requirements is that the agencies must do monthly reporting of inventory assets, as well as continuous monitoring and reporting of security controls. The key here is that the regulations mention security controls and do not mention security threats. This is where we must go above and beyond the letter of the law to truly perform our duties. So, please, by all means, do the paperwork, follow the regulations, but don’t stop there.</span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div align="center">
<p><span style="font-size:small;"><span style="color:#00ff00;"><b>GO…</b></span></span></p>
</div>
<div>
<p><span style="font-size:small;"> </span></p>
</div>
<div>
<p><span style="font-size:small;">The final part of the formula: Event Mitigation is where the rubber meets the road, where you take action and move towards fixing the issues that have been uncovered. Without mitigation of the issues, you have not achieved real security. Vindicate yourself, your team and your organization. <b><i><span style="color:#f1c232;">Grab the Grail…</span></i></b></span></p>
</div>
]]></content:encoded>
</item>
<item>
<title><![CDATA[What Is Application Whitelisting?]]></title>
<link>http://securityfyi.wordpress.com/2012/07/23/what-is-application-whitelisting/</link>
<pubDate>Mon, 23 Jul 2012 18:27:12 +0000</pubDate>
<dc:creator>MIT</dc:creator>
<guid>http://securityfyi.wordpress.com/2012/07/23/what-is-application-whitelisting/</guid>
<description><![CDATA[Application whitelisting is a computer administration practice used to prevent unauthorized programs]]></description>
<content:encoded><![CDATA[<p>Application whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications that might contain viruses or other malware.</p>
<p>Applications are whitelisted by permission of the computer user or an administrator. When an application tries to execute an action, it is automatically checked against the list and, if found, allowed to run.</p>
<p>Some security experts believe that the technique of whitelisting is better than blacklisting, which is the technique that anti-virus (AV) applications use. They argue that blacklisting is too complex and difficult to manage.</p>
<p>Application whitelisting has been in the news more frequently recently because of the feature (called Gatekeeper) in Apple&#8217;s new operating system <a href="http://www.apple.com/osx/what-is/security.html">Mountain Lion (OS X 10.8)</a> and because it has been brought up as the solution for addressing the <a href="http://www.infosecurity-magazine.com/view/26475/whitelisting-is-the-solut">security of large national infrastructure systems</a>.</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[iOS Security: Apple speaks...]]></title>
<link>http://macviruscom.wordpress.com/2012/06/04/ios-security-apple-speaks/</link>
<pubDate>Mon, 04 Jun 2012 11:20:00 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2012/06/04/ios-security-apple-speaks/</guid>
<description><![CDATA[&#8230;though not exactly with a fanfare of trumpets. The sparsely entitled iOS Security is a brief]]></description>
<content:encoded><![CDATA[&#8230;though not exactly with a fanfare of trumpets. The sparsely entitled iOS Security is a brief]]></content:encoded>
</item>
<item>
<title><![CDATA[Kaspersky and the iOS AV problem]]></title>
<link>http://macviruscom.wordpress.com/2012/05/22/kaspersky-and-the-ios-av-problem/</link>
<pubDate>Tue, 22 May 2012 21:16:21 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2012/05/22/kaspersky-and-the-ios-av-problem/</guid>
<description><![CDATA[Eugene Kaspersky&#8217;s view of the problem of not being allowed to build real antivirus for iOS is]]></description>
<content:encoded><![CDATA[Eugene Kaspersky&#8217;s view of the problem of not being allowed to build real antivirus for iOS is]]></content:encoded>
</item>
<item>
<title><![CDATA[In the Wallpapered Garden...]]></title>
<link>http://macviruscom.wordpress.com/2012/04/23/in-the-wallpapered-garden/</link>
<pubDate>Mon, 23 Apr 2012 17:49:27 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2012/04/23/in-the-wallpapered-garden/</guid>
<description><![CDATA[&#8230;an app is ok if it&#8217;s just misleading rather than blatantly dishonest. Though you&#8217;]]></description>
<content:encoded><![CDATA[&#8230;an app is ok if it&#8217;s just misleading rather than blatantly dishonest. Though you&#8217;]]></content:encoded>
</item>
<item>
<title><![CDATA[Apple Futures]]></title>
<link>http://macviruscom.wordpress.com/2010/05/04/apple-futures/</link>
<pubDate>Tue, 04 May 2010 06:30:32 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2010/05/04/apple-futures/</guid>
<description><![CDATA[I got back a few days ago from Infosecurity Europe 2010, in London, where I had a number of meetings]]></description>
<content:encoded><![CDATA[I got back a few days ago from Infosecurity Europe 2010, in London, where I had a number of meetings]]></content:encoded>
</item>
<item>
<title><![CDATA[Beware the iMeme]]></title>
<link>http://macviruscom.wordpress.com/2010/05/03/beware-the-imeme/</link>
<pubDate>Mon, 03 May 2010 09:17:14 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2010/05/03/beware-the-imeme/</guid>
<description><![CDATA[Ok, this story is several days old. I did hear about it in passing, but I was away from the office a]]></description>
<content:encoded><![CDATA[Ok, this story is several days old. I did hear about it in passing, but I was away from the office a]]></content:encoded>
</item>
<item>
<title><![CDATA[Bulls, Horses, and the Mac App Whitelisting Rumour ]]></title>
<link>http://macviruscom.wordpress.com/2010/05/02/bulls-horses-and-the-mac-app-whitelisting-rumour/</link>
<pubDate>Sun, 02 May 2010 12:11:42 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2010/05/02/bulls-horses-and-the-mac-app-whitelisting-rumour/</guid>
<description><![CDATA[Actually, it never occurred to me that a whitelisting model similar to the iPod/iPad model, where ap]]></description>
<content:encoded><![CDATA[Actually, it never occurred to me that a whitelisting model similar to the iPod/iPad model, where ap]]></content:encoded>
</item>
<item>
<title><![CDATA[The Death of the Computer]]></title>
<link>http://macviruscom.wordpress.com/2010/03/20/the-death-of-the-computer/</link>
<pubDate>Sat, 20 Mar 2010 14:00:52 +0000</pubDate>
<dc:creator>David Harley</dc:creator>
<guid>http://macviruscom.wordpress.com/2010/03/20/the-death-of-the-computer/</guid>
<description><![CDATA[I&#8217;m going to take a little time to expand on the following paragraph from yesterday&#8217;s Ma]]></description>
<content:encoded><![CDATA[I&#8217;m going to take a little time to expand on the following paragraph from yesterday&#8217;s Ma]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Fails of 2009 - The Marine One Breach]]></title>
<link>http://blog.triumfant.com/2009/12/10/security-fails-of-2009-the-marine-one-breach/</link>
<pubDate>Thu, 10 Dec 2009 15:20:49 +0000</pubDate>
<dc:creator>The Triumfant Blog</dc:creator>
<guid>http://blog.triumfant.com/2009/12/10/security-fails-of-2009-the-marine-one-breach/</guid>
<description><![CDATA[As 2009 draws to a close I think no one would argue that this has been an extremely eventful year fo]]></description>
<content:encoded><![CDATA[<p>As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security. While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009 in hopes that we can learn from the mistakes of the (recent) past. So without further ado, here is the first of the Security Fails of 2009.</p>
<p>In early March it was <a href="http://government.zdnet.com/?p=4387">reported</a> that the detailed plans for the refresh of the Marine One Helicopter used by the President had been compromised.  Soon after, detailed data about the new Joint Strike Fighter were also compromised.  Both incidents were traced back to peer-to-peer software that was exploited to get to the data. </p>
<p>These high-profile incidents catalyzed some interesting dialogue about peer-to-peer applications in particular and unauthorized applications in general. There was an immediate rush to unilaterally remove all peer-to-peer software from endpoint computers without any qualitative analysis of what other contributing factors led to the loss of sensitive data. Such baby-with-the-bathwater thinking never leads to true progress, and my guess is that peer-to-peer applications have proliferated, not decreased, through the year. In fact, <a href="http://www.cio.com/article/491351/Businesses_Losing_Fight_Against_Employee_Apps">an article in CIO magazine </a>cited a study that showed that &#8220;an average of six peer-to-peer applications were found in 92 percent of the organisations surveyed&#8221;.</p>
<p>A much broader and constructive dialogue emerged around the <a href="http://blog.triumfant.com/2009/05/05/winning-the-fight-against-unauthorized-applications/">control of unauthorized applications</a>.  Whitelisting has emerged prominently in 2009 as everyone comes to terms with the continued challenges of antivirus software in keeping up with the evolving threatscape.  But for whitelisting to be effective – actually block unauthorized applications &#8211; the organization must be in lockdown.  Otherwise, the endpoint user becomes the greylist administrator and is asked to make a decision to block the software that is suspect.  This is where my cynical nature kicks in because in many cases it is the user that initiated the install, and heck yes they want to proceed.  Alas, whitelisting joins the distinguished list of “not the silver bullet”.</p>
<p>The dialogue has also prompted investigation of personal use policies for company endpoint machines. It has become broadly assumed that the computer provided by the employer is an open invitation to load just about any software the user desires. Obviously this has enormous consequences in regard to surety readiness and risk. I have no hard statistics for you, but I can offer an interesting anecdote. Triumfant detects and catalogs all of the applications running on an organization’s endpoint population. When we install our software we often ask the customer what their worst guess would be as to how many applications they have in their environment. Then we run our application inventory report and show them the actual count. For any customer that allows personal use, the number on the report is normally at least ten times that worst-case guess.</p>
<p>The Marine One fail brought the unauthorized application conundrum squarely into the spotlight. The DoD and the intelligence community have already locked down their environments, but the Marine One plans were leaked from a contractor’s machine, so the wall is not airtight. The more vexing question comes for commercial organizations competing for talent in the market, as the use of a PC has become an expected perk of employment – the genie is already out of the bottle. As a result, the IT security folks who already have their hands full protecting the corporate treasures from the bad guys must deal with the increased risk from applications that are loaded by their own employee peers. Add to the problem the growing use of social media applications, and this problem brought to light by the Marine One fail is clearly not going away as we close the year.</p>
]]></content:encoded>
</item>
<item>
<title><![CDATA[Windows 7 AppLocker]]></title>
<link>http://emesa.wordpress.com/2009/03/19/windows-7-applocker/</link>
<pubDate>Thu, 19 Mar 2009 17:14:23 +0000</pubDate>
<dc:creator>emesa</dc:creator>
<guid>http://emesa.wordpress.com/2009/03/19/windows-7-applocker/</guid>
<description><![CDATA[&#8220;What is this?&#8221; was usually my first thought after visiting an end users desk. I can not]]></description>
<content:encoded><![CDATA[<p><img class="alignnone" title="Windows 7" src="http://msinetpub.vo.llnwd.net/d1/keithcombs/blog/images/Windows7EditionsAnnounced_C933/windows7_bloglogo.jpg" alt="" width="484" height="363" /></p>
<p><strong><span style="color:#000000;"><br />
</span></strong></p>
<p><strong><span style="color:#000000;">&#8220;What is this?&#8221; was usually my first thought after visiting an end users desk. I can not beleive how many teachers in my school district would install software that was not needed or that added so many startup entries that it would slow the computers boot time. Which of course is the reason I am at the PC in the first place, because they complained that &#8220;my PC takes forever to startup and its so slow!&#8221; Not to mention unknown software that may bring on malware or other problems. </span></strong></p>
<p><strong><span style="color:#000000;">That was my first year in the school district, since then I have implemented a solution for students and staff not to run unapproved executables. The tool I currently have in place is not as flexible as I would like it to be.  We are looking at different solutions to support our goal of only allowing approved applications run.  The last few years many companies have been bringing application whitelisting products to the table.  But these usually require an additional box and additional software, which may not be all bad but it does add an extra layer. </span></strong></p>
<p><strong><span style="color:#000000;">Windows 7 has many new features and one of them is AppLocker. </span></strong></p>
<p><strong><span style="color:#000000;">&#8220;<em>AppLocker is a flexible, easily administered mechanism that enables IT professionals to specify exactly what is allowed to run on user desktops. It provides the flexibility to allow users to run the applications, installation programs, and scripts they need to be productive.&#8221;</em></span></strong></p>
<p><strong><span style="color:#000000;">AppLocker can manage all applications that run on a PC with a simple interface. Group Policy can control this with ease. Watch this <a title="AppLocker" href="http://download.microsoft.com/download/A/4/5/A4548A66-0496-4B2F-8B5C-D5B97E2EC771/applocker.wmv" target="_blank">Video</a> and see what AppLocker can do. </span></strong></p>
<p><strong><span style="color:#000000;"><a href="http://www.thejournal.com/articles/23303" target="_blank">Here</a> is a related article on what another school district did to maintain applications on their network. Thanks to another reader!<br />
</span></strong></p>
]]></content:encoded>
</item>

</channel>
</rss>
